TiVo Community
Old 05-29-2009, 08:46 AM   #1
zabolots
Registered User
 
Join Date: May 2007
Location: NW Chicago Suburbs
Posts: 71
MOCA Network Security

I know a few people here are running with MOCA adapters to provide ethernet to their Tivo units. I'm hoping somebody can answer this for me.

How secure is a home network with MOCA? Obviously, the devices are connected to the coax in the home, which in turn runs out to the street and is connected to the nearest "hub" in the neighborhood. Is there some type of filter that you put on the inbound coax line to prevent the MOCA signals from leaving your house? Alternately, is there some security setup to be done on the MOCA devices themselves to encrypt data so only local devices can see each other?

Thanks...Scott
Old 05-29-2009, 09:13 AM   #2
sinanju
Registered User
 
Join Date: Jan 2005
Posts: 586
MoCA uses DES encryption.

Of course, if you have FiOS, the coax doesn't leave the house.
Old 05-29-2009, 10:10 AM   #3
zabolots
Registered User
 
Join Date: May 2007
Location: NW Chicago Suburbs
Posts: 71
Quote:
Originally Posted by sinanju View Post
MoCA uses DES encryption.

Of course, if you have FiOS, the coax doesn't leave the house.

So do you need to configure each MoCA box in the house to use the same encryption key? I thought it was simple plug-and-play.
Old 05-29-2009, 10:18 AM   #4
aaronwt
HD Addict
 
Join Date: Jan 2002
Location: Northern VA(Woodbridge)
Posts: 14,070
Yes. Just like wireless. But it's still basically plug and play. You just have to enter the decryption key during setup.
__________________
Roamio Pro
TiVo Mini x4
Roamio Basic OTA
39TB unRAID1--53TB unRAID2--36TB unRAID3
XBL/PSN: WormholeXtreme
Old 05-29-2009, 10:28 AM   #5
fyodor
Registered User
 
Join Date: Sep 2006
Posts: 444
It's my (non-authoritative) understanding that the signal is designed specifically so it doesn't make it through the feeds entering back through your home/unit.

Also, I've never been able to get it to work back through amplified splitters, so insofar as you have one of those at your drop, you're probably protected.

You also need someone to be living nearby also with a moca adapter connected to their cable.

F
Old 05-29-2009, 11:40 AM   #6
skillmey
Registered User
 
Join Date: Feb 2009
Posts: 5
If you have FiOS, you can't turn the password on if you want to stay connected to their network. However, you don't have to worry about security since the cable is isolated from other homes.

If you don't have FiOS, you can just enable a password on each device. It's not likely that the signal is going to go all the way from one house to the next, but it really depends on the cable network. So if you're paranoid, turn it on.
Old 05-30-2009, 06:16 AM   #7
DCIFRTHS
I dumped SDV / cable
 
Join Date: Jan 2000
Location: New York
Posts: 2,075
Quote:
Originally Posted by skillmey View Post
If you have FiOS, you can't turn the password on if you want to stay connected to their network. However, you don't have to worry about security since the cable is isolated from other homes.

If you don't have FiOS, you can just enable a password on each device. It's not likely that the signal is going to go all the way from one house to the next, but it really depends on the cable network. So if you're paranoid, turn it on.
I never understood how a person could see another person's "computer", without sniffing packets, even if you both connect to the same node.

I imagine that the node would have to allow broadcasting of all upstream traffic, on the cable, before it converts the RF to light. Is this a reasonable guess?
Old 05-30-2009, 08:44 AM   #8
wmcbrine
Resistance Useless
 
Join Date: Aug 2003
Posts: 9,078
Quote:
Originally Posted by DCIFRTHS View Post
I never understood how a person could see another person's "computer", without sniffing packets, even if you both connect to the same node
Sniffing packets is not especially difficult, so I see no need for that qualifier. But also, a lot of stuff, like Windows file sharing and even TiVo MRV/TTG, uses broadcast packets to find other systems. This shouldn't be a problem as long as you're behind a NAT, but it's possible (and used to be common) to hook up a PC directly to a cable modem. In such a case, you could open up "Network Neighborhood" and literally see your neighbors' systems.
Old 06-01-2009, 06:31 AM   #9
DCIFRTHS
I dumped SDV / cable
 
Join Date: Jan 2000
Location: New York
Posts: 2,075
Quote:
Originally Posted by wmcbrine View Post
Sniffing packets is not especially difficult, so I see no need for that qualifier. But also, a lot of stuff, like Windows file sharing and even TiVo MRV/TTG, uses broadcast packets to find other systems. This shouldn't be a problem as long as you're behind a NAT, but it's possible (and used to be common) to hook up a PC directly to a cable modem. In such a case, you could open up "Network Neighborhood" and literally see your neighbors' systems.
Ah... I didn't consider that people hooked their computer(s) directly to a cable modem without a firewall in between. I have never considered doing something like that.

Even when I first got symmetrical DSL (approximately 1999) from Covad and Northpoint, I used software firewall solutions (Black Ice / Zone Alarm). That was a long time ago, so my dates are approximate. It also doesn't help that my memory isn't as sharp as it once was.

grc.com was one of my favorite websites.
Old 06-27-2009, 03:48 PM   #10
flynz4
Registered User
 
Join Date: Jun 2009
Location: Portland, OR
Posts: 55
I have Verizon Fios, and I am upgrading my DVRs. I currently have 3 Verizon (Motorola) DVRs (with internal MoCA) that will be replaced by 3 Tivo HDs (one is XL) and 3 NIM 100's.

My question is around security. In my current setup:
  1. Fiber enters the ONP attached to the garage
  2. ONP is connected to my Verizon Actiontec home router with coax (internal MoCA)
  3. ONP is also connected via coax to each of my three television set top boxes (internal MoCA)
  4. Actiontec router has a NAT firewall
  5. Actiontec router drives my internal wired and wireless home network
It seems to me that by definition... my wired/wireless home network is behind the NAT firewall... and that my television set top boxes (MoCA) are outside of the NAT firewall. Doesn't that create a security risk since I have equipment connected outside of my NAT firewall?

/Jim
Old 06-27-2009, 04:54 PM   #11
socrplyr
Registered User
 
Join Date: Jul 2006
Posts: 1,012
Quote:
Originally Posted by flynz4 View Post
I have Verizon Fios, and I am upgrading my DVRs. I currently have 3 Verizon (Motorola) DVRs (with internal MoCA) that will be replaced by 3 Tivo HDs (one is XL) and 3 NIM 100's.

My question is around security. In my current setup:
  1. Fiber enters the ONP attached to the garage
  2. ONP is connected to my Verizon Actiontec home router with coax (internal MoCA)
  3. ONP is also connected via coax to each of my three television set top boxes (internal MoCA)
  4. Actiontec router has a NAT firewall
  5. Actiontec router drives my internal wired and wireless home network
It seems to me that by definition... my wired/wireless home network is behind the NAT firewall... and that my television set top boxes (MoCA) are outside of the NAT firewall. Doesn't that create a security risk since I have equipment connected outside of my NAT firewall?

/Jim
The internal MoCA adapter in the actiontec router is on the internal side of the router.
Old 06-27-2009, 05:37 PM   #12
wmcbrine
Resistance Useless
 
Join Date: Aug 2003
Posts: 9,078
Quote:
Originally Posted by flynz4 View Post
Doesn't that create a security risk since I have equipment connected outside of my NAT firewall?
You're concerned about people hacking your set-top boxes? Seriously?

Anyway, no -- as far as the IP network is concerned, your STBs are also behind the firewall. IP traffic flows from the STB to the router, and from the router to the ONT (note: not "ONP"). Only QAM video goes directly from the ONT to the STBs. If you doubt it, disconnect the router, and you should see VOD stop working.
Old 06-27-2009, 06:35 PM   #13
flynz4
Registered User
 
Join Date: Jun 2009
Location: Portland, OR
Posts: 55
Quote:
Originally Posted by wmcbrine View Post
You're concerned about people hacking your set-top boxes? Seriously?

Anyway, no -- as far as the IP network is concerned, your STBs are also behind the firewall. IP traffic flows from the STB to the router, and from the router to the ONT (note: not "ONP"). Only QAM video goes directly from the ONT to the STBs. If you doubt it, disconnect the router, and you should see VOD stop working.
I am not worried about someone hacking my STB... I am worried about someone bypassing my NAT in the router. I also stand corrected on "ONT" (instead of "ONP").

The thing that is confusing to me, is that the WAN input to my Actiontec router is the coax cable. Also, this same coax cable is what connects the router to the STBs. So you are saying that somehow, this coax input to my router is simultaneously on the WAN and LAN side of the router.

My next question is in regard to the NIM 100 boxes. Can I connect other equipment (ex: a PC) to the RJ45 jacks in addition to the new Tivo units? If so... is there still no security concern? In practice, I am not really considering adding other devices at this time... but I am curious about their operation.

/Jim
Old 06-27-2009, 06:49 PM   #14
wmcbrine
Resistance Useless
 
Join Date: Aug 2003
Posts: 9,078
Even if the STBs were outside the NAT (which they aren't), that would not constitute a security risk. Only the STBs themselves would be vulnerable; there would be no path from them to the inside of the NAT.

There is no difficulty in the single jack serving as both LAN and WAN interfaces, nor does that constitute a security risk, either. And yes, you can hook up anything you want to the MoCA adapters.
Old 06-27-2009, 07:00 PM   #15
flynz4
Registered User
 
Join Date: Jun 2009
Location: Portland, OR
Posts: 55
Quote:
Originally Posted by wmcbrine View Post
Even if the STBs were outside the NAT (which they aren't), that would not constitute a security risk. Only the STBs themselves would be vulnerable; there would be no path from them to the inside of the NAT.

There is no difficulty in the single jack serving as both LAN and WAN interfaces, nor does that constitute a security risk, either. And yes, you can hook up anything you want to the MoCA adapters.
Thanks. The answer is non-intuitive to me, but I realize that your answer must be correct. When I look at my IP address assignments... I can see that my STBs are indeed on the LAN side of my router.

Next question: When I disconnect my 3 Verizon (Motorola) STBs, and attach the 3 Tivos through the new NIM 100's... is there any setup necessary for the NIM 100's... or is it simply plug and play?

/Jim
Old 06-28-2009, 11:43 AM   #16
fyodor
Registered User
 
Join Date: Sep 2006
Posts: 444
Quote:
Originally Posted by flynz4 View Post
Thanks. The answer is non-intuitive to me, but I realize that your answer must be correct. When I look at my IP address assignments... I can see that my STBs are indeed on the LAN side of my router.

Next question: When I disconnect my 3 Verizon (Motorola) STBs, and attach the 3 Tivos through the new NIM 100's... is there any setup necessary for the NIM 100's... or is it simply plug and play?

/Jim
It's completely plug and play. As far as the Tivo knows, it's directly connected to your router.
Old 06-28-2009, 11:47 AM   #17
fyodor
Registered User
 
Join Date: Sep 2006
Posts: 444
Quote:
Originally Posted by flynz4 View Post

The thing that is confusing to me, is that the WAN input to my Actiontec router is the coax cable. Also, this same coax cable is what connects the router to the STBs. So you are saying that somehow, this coax input to my router is simultaneously on the WAN and LAN side of the router.


/Jim
Keep in mind, that just because they're sharing a physical medium, doesn't mean that they can communicate. So even though there is a physical link between them, the devices connected through the MoCA adapter can't communicate with the ONT. They need to communicate with your router, which can communicate with the ONT.

F
Old 06-28-2009, 02:50 PM   #18
flynz4
Registered User
 
Join Date: Jun 2009
Location: Portland, OR
Posts: 55
Quote:
Originally Posted by fyodor View Post
Keep in mind, that just because they're sharing a physical medium, doesn't mean that they can communicate. So even though there is a physical link between them, the devices connected through the MoCA adapter can't communicate with the ONT. They need to communicate with your router, which can communicate with the ONT.

F
Yes... this was the confusing part. I guess we are programmed to believe that the WAN and the LAN would be on different physical media. Thanks again for both of your replies!

/Jim
Old 12-17-2013, 11:08 AM   #19
danis123
Registered User
 
Join Date: Dec 2013
Posts: 2
COAX Terminated Outside The House

Many people have upgraded from other cable providers to FIOS. Many of the old cable providers had runs going to each TV set which all terminated at splitters located outside the house (mounted to the side of the house). In that case the FIOS COAX is run from the ONT & Router (as the router is just connected to a splitter inside the house which goes to the ONT and the outside splitter) to the outside splitter. If Verizon does not encrypt their MOCA then what stops someone from just attaching a MOCA network adapter to the splitter outside of the house and getting onto your network behind the NAT?????

Last edited by danis123 : 12-17-2013 at 12:45 PM.
Old 12-17-2013, 12:28 PM   #20
unitron
Registered User
 
Join Date: Apr 2006
Location: semi-coastal NC
Posts: 13,557
Quote:
Originally Posted by danis123 View Post
Many people have upgraded from other cable providers to FIOS. Many of the old cable providers had runs going to each TV set which all terminated at splitters located outside the house (mounted to the side of the house). In that case the FIOS COAX is run from the ONT & Router (as the router is just connected to a splitter which is inside) to the outside splitter. If Verizon does not encrypt their MOCA then what stops someone from just attaching a MOCA network adapter to the splitter outside of the house and getting onto your network behind the NAT?????
A big mean dog?
__________________
(thisismysigfile)


"I am altering the deal. Pray I don't alter it any further."

Darth TiVo, 14 February, 2011
Old 12-17-2013, 12:43 PM   #21
danis123
Registered User
 
Join Date: Dec 2013
Posts: 2
big mean dog

Quote:
Originally Posted by unitron View Post
A big mean dog?
Ha - I guess that's one way to secure your FIOS network. Didn't see anything about "a big mean dog" in the subscriber agreement. Acquiring a big mean dog does add to the overall cost of ownership.
Old 12-17-2013, 02:21 PM   #22
dianebrat
Uncontrolled Force
 
Join Date: Jul 2002
Location: boston'ish
Posts: 7,821
Quote:
Originally Posted by danis123 View Post
Many people have upgraded from other cable providers to FIOS. Many of the old cable providers had runs going to each TV set which all terminated at splitters located outside the house (mounted to the side of the house). In that case the FIOS COAX is run from the ONT & Router (as the router is just connected to a splitter inside the house which goes to the ONT and the outside splitter) to the outside splitter. If Verizon does not encrypt their MOCA then what stops someone from just attaching a MOCA network adapter to the splitter outside of the house and getting onto your network behind the NAT?????
Physical access will always give someone a huge edge in hacking a network.
However I'm not paranoid enough to even give a damn about someone physically connecting to my external FiOS MoCA connection, others may not share my views.
__________________
"There is a distinct difference between having an open mind and having a hole in your head from which your brain leaks out."